Version 3.0
- Updated on 02 Apr 2025
What's new in CDC Version 3.0
September 2022
Highlights
- Grouped alerts in incidents
- SLA recalculation based on incident lifecycle
- Enable changing alert classification
Grouped Alerts in Incidents
The CDC alert grouping mechanism groups related alerts into incidents (threats). This gives security analysts better context for the issues they handle, speeds up analysis, and reduces investigation time for similar alerts, because analysts work only with incidents, and each incident gathers its related alerts.
For example, assume that two alerts are generated within two minutes. The first alert comes from the EDR with information about malware on a host, and the second alert comes from the firewall, reporting that the same host is communicating with a known C&C address. The CDC detects these two alerts and groups them together into one incident.
As part of this change to grouping, analysts no longer work with individual alerts; the focus is on incidents. Within the Incidents dashboard, you now get more detailed information about all alerts attached to an incident.
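The grouping described above, written out as an added example (this is illustrative code, not the CDC's own implementation). It assumes a simple rule that the page does not spell out: alerts on the same host whose timestamps fall within a grouping window join the same open incident, and the two-minute window, the incident naming and the sample alerts are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: the page's example uses two minutes, but the real CDC window is not stated.
GROUPING_WINDOW = timedelta(minutes=2)

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    alert_id: str
    source: str        # e.g. "edr" or "firewall"
    host: str          # the asset the alert concerns
    created_at: datetime
    severity: str
    summary: str


@dataclass
class Incident:
    incident_id: str
    host: str
    created_at: datetime
    alerts: List[Alert] = field(default_factory=list)

    @property
    def last_alert_at(self) -> datetime:
        return max(a.created_at for a in self.alerts)

    @property
    def severity(self) -> str:
        # The incident inherits the highest severity among its alerts.
        return max((a.severity for a in self.alerts), key=lambda s: SEVERITY_ORDER[s])


def group_alerts(alerts: List[Alert], window: timedelta = GROUPING_WINDOW) -> List[Incident]:
    """Attach each alert to the open incident on the same host whose most recent
    alert lies within `window`; otherwise open a new incident for that host."""
    incidents: List[Incident] = []
    open_by_host: Dict[str, Incident] = {}
    for alert in sorted(alerts, key=lambda a: a.created_at):
        current = open_by_host.get(alert.host)
        if current is not None and alert.created_at - current.last_alert_at <= window:
            current.alerts.append(alert)
            continue
        incident = Incident(
            incident_id=f"INC-{len(incidents) + 1:04d}",  # constructed naming scheme
            host=alert.host,
            created_at=alert.created_at,
        )
        incident.alerts.append(alert)
        incidents.append(incident)
        open_by_host[alert.host] = incident
    return incidents


# Constructed sample alerts mirroring the EDR + firewall scenario from the release note.
T0 = datetime(2022, 9, 1, 10, 0, 0)
SAMPLE_ALERTS = [
    Alert("A-1", "edr", "host-A", T0, "high", "Malware detected on host"),
    Alert("A-2", "firewall", "host-A", T0 + timedelta(seconds=90), "high",
          "Outbound connection to known C&C address"),
    Alert("A-3", "firewall", "host-B", T0 + timedelta(minutes=1), "medium",
          "Port scan from host"),
    # Same host again, but 30 minutes later: outside the window, so a new incident.
    Alert("A-4", "edr", "host-A", T0 + timedelta(minutes=30), "low",
          "Suspicious script execution"),
]


if __name__ == "__main__":
    for inc in group_alerts(SAMPLE_ALERTS):
        ids = ", ".join(a.alert_id for a in inc.alerts)
        print(f"{inc.incident_id} host={inc.host} severity={inc.severity} alerts=[{ids}]")
```

With the constructed input, the EDR and firewall alerts on host-A become one incident, the host-B alert opens a second, and the host-A alert half an hour later opens a third because it falls outside the window.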
When clicking on an alert, you will see the Alerts view within the Incident view. The alert list contains the following information for each alert:
- Score
- Severity
- Indication that a playbook is waiting for a user action.
- Indication that the alert was updated (for example, the playbook finished running, or the raw data or observables were updated).
Note that you can also filter the alerts by creation time and/or by severity.
SLA Recalculation Based on Incident Lifecycle
SLA is now calculated based on the incident's lifecycle rather than the alert's lifecycle.
The SLA setting is based on the incident's priority (Settings > SLA). The priority is kept in sync with the priority setting in the CDC (Fields Configuration > Incident > Incident Priority).
SLA is calculated from the time the incident was created until an analyst takes ownership.
Note: During deployment the priority must be set manually; the CDC does not set it automatically.
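An added example of the SLA rule stated in this section (illustrative code, not the product's own). The per-priority durations stand in for whatever is configured under Settings > SLA and are assumptions; the clock runs from incident creation until an analyst takes ownership, and an incident whose priority was never set (the deployment note above) is rejected rather than silently given a default.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed per-priority SLA table; the durations are assumptions, not product defaults.
SLA_BY_PRIORITY: Dict[str, timedelta] = {
    "critical": timedelta(minutes=15),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}


@dataclass
class Incident:
    incident_id: str
    created_at: datetime
    priority: Optional[str]              # None models a deployment that never set it
    owned_at: Optional[datetime] = None  # when an analyst took ownership


def sla_deadline(incident: Incident) -> datetime:
    """Deadline by which an analyst must take ownership."""
    if incident.priority is None:
        # Mirrors the deployment note: priority is not assigned automatically.
        raise ValueError(f"{incident.incident_id}: priority is not set; SLA cannot be computed")
    if incident.priority not in SLA_BY_PRIORITY:
        raise ValueError(f"{incident.incident_id}: no SLA configured for priority {incident.priority!r}")
    return incident.created_at + SLA_BY_PRIORITY[incident.priority]


def sla_status(incident: Incident, now: datetime) -> dict:
    """Measure the SLA from creation to ownership; for an incident nobody owns
    yet, the clock is still running, so measure against `now`."""
    deadline = sla_deadline(incident)
    end = incident.owned_at if incident.owned_at is not None else now
    return {
        "state": "owned" if incident.owned_at is not None else "unowned",
        "elapsed_seconds": int((end - incident.created_at).total_seconds()),
        "breached": end > deadline,
        "remaining_seconds": max(int((deadline - end).total_seconds()), 0),
    }


# Constructed incidents for the walk-through.
CREATED = datetime(2022, 9, 1, 10, 0, 0)
OWNED_IN_TIME = Incident("INC-0001", CREATED, "critical", owned_at=CREATED + timedelta(minutes=10))
STILL_OPEN = Incident("INC-0002", CREATED, "high")          # nobody has taken ownership
NO_PRIORITY = Incident("INC-0003", CREATED, None)


if __name__ == "__main__":
    now = CREATED + timedelta(minutes=90)
    print(sla_status(OWNED_IN_TIME, now))
    print(sla_status(STILL_OPEN, now))
    try:
        sla_status(NO_PRIORITY, now)
    except ValueError as exc:
        print("rejected:", exc)
```

The unowned incident is the interesting case: ownership has not happened, so the elapsed time keeps growing and the breach flag flips once `now` passes the deadline, which is exactly what a queue view should surface.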
Enable Changing an Alert's Classification
You can update an alert's classification when you gain a different or new insight into the data. This allows for better analysis of incidents.
You can download rules in CSV format, create the rules, and then upload them back to the platform.
The alert Classification field is in the General alerts tab. The classification can be changed here, and you can add a new classification as well.
If the field is updated and the value matches one of the classification settings in the CDC, the CDC applies the update; otherwise the update is ignored.
Note that updating a classification does not automatically trigger playbooks or the rules mechanism. When the classification is updated, a message is written to the alert's chat and timeline.
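The classification-update behaviour described here, as an added example (illustrative code, not the CDC's implementation). The configured classification values, the alert record and the analyst name are constructed for the example; what the code demonstrates is the stated rule: a value that matches a configured classification is applied and recorded in the chat and timeline, an unknown value is ignored, and no playbook or rule is triggered either way.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Set

# Constructed stand-in for the classification settings in the CDC.
CONFIGURED_CLASSIFICATIONS: Set[str] = {"True Positive", "False Positive", "Benign", "Undetermined"}


@dataclass
class Alert:
    alert_id: str
    classification: str
    chat: List[str] = field(default_factory=list)
    timeline: List[dict] = field(default_factory=list)
    playbook_runs: int = 0   # would be incremented by a playbook trigger; must stay unchanged here


def add_classification(configured: Set[str], value: str) -> None:
    """Adding a new classification value, which the page says is also allowed."""
    configured.add(value)


def update_classification(alert: Alert, new_value: str, analyst: str,
                          at: datetime, configured: Set[str] = CONFIGURED_CLASSIFICATIONS) -> bool:
    """Apply a classification change only if the value is a configured one.
    Returns True when applied, False when ignored. Assumption: exact-match comparison."""
    if new_value not in configured:
        return False                      # ignored, per the release note
    old = alert.classification
    alert.classification = new_value
    message = f"{analyst} changed classification from '{old}' to '{new_value}'"
    alert.chat.append(message)
    alert.timeline.append({
        "at": at.isoformat(),
        "event": "classification_changed",
        "from": old,
        "to": new_value,
        "by": analyst,
    })
    # Deliberately no playbook or rules-engine call: reclassification does not trigger them.
    return True


# Constructed alert for the walk-through.
SAMPLE_ALERT = Alert(alert_id="A-1", classification="Undetermined")


if __name__ == "__main__":
    when = datetime(2022, 9, 1, 10, 0, 0)
    print(update_classification(SAMPLE_ALERT, "True Positive", "analyst.jane", when))   # applied
    print(update_classification(SAMPLE_ALERT, "Probably Bad", "analyst.jane", when))    # ignored
    print(SAMPLE_ALERT.classification, SAMPLE_ALERT.chat, SAMPLE_ALERT.timeline)
```

Because an ignored update leaves no chat or timeline entry, an analyst who typed a value that is not configured sees no change at all; checking the timeline after an edit is the quick way to confirm that the update was actually applied.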
Known Issues
- Unable to scroll information in raw data (CYB - 171213).